Closed
Bug 301678
Opened 19 years ago
Closed 19 years ago
[FIX]xml object parsed from string from flash throws permission denied error when accessed
Categories
(Core :: XML, defect)
Core
XML
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: themaker, Assigned: bzbarsky)
References
()
Details
(Keywords: fixed1.8.1, verified1.8.0.1)
Attachments
(1 file)
|
1.37 KB,
patch
|
jst
:
review+
jst
:
superreview+
dveditz
:
approval1.8.0.1+
dveditz
:
approval1.8.1+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 An xml string (ie. "<xml>...</xml>") passed from a flash app via fscommand to javascript can be parsed into an xml object but that object cannot be accessed. Any attempt to read it throws the following error: Error: [Exception... "'Permission denied to get property XMLDocument.firstChild' when calling method: [FlashIObject::evaluate]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "<unknown>" data: no] Reproducible: Always Steps to Reproduce: 1. Goto: http://www.burningmoth.com/projects/moztest/moztest.html 2. Click on the "Click Me" flash button. 3. There are three steps showing a progression of successful events. If the last step does not appear, check the JS Console to view the error. Actual Results: The error is thrown. Permissioned denied for xml object. The alert for step three never appears. Expected Results: One should have permissions to read from and write to the xml document created. This was not an issue in Firefox 1.0.4. I tested it in Mozilla Seamonkey 1.7.5 and there are no problems. Script works as expected.
|
||
Comment 1•19 years ago
|
||
If Firefox 1.0.6 on WinXPSP2 Step 1, 2 execute and then Error: [Exception... "'Permission denied to get property XMLDocument.firstChild' when calling method: [FlashIObject::evaluate]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "<unknown>" data: no] In DeerPark I get Step 1, then Error: [Exception... "'Permission denied to call method DOMParser.parseFromString' when calling method: [FlashIObject::evaluate]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "<unknown>" data: no]
Assignee: nobody → dbradley
Status: UNCONFIRMED → NEW
Component: General → XPConnect
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → pschwartau
Version: unspecified → 1.0 Branch
|
||
Comment 2•19 years ago
|
||
I have also encountered a similar error when clicking a link in a Flash in FF that calls out via fscommand to a script that attempts to create a javascript Image object. When setting the properties on the object the following error is thrown and the script fails (example is of setting the id property): Error: [Exception... "'Permission denied to set property HTMLImageElement.id' when calling method: [FlashIObject::evaluate]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "<unknown>" data: no] Found on: Windows XP SP2,Windows 2000 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
|
Assignee | |
Comment 3•19 years ago
|
||
Not an XPConnect issue... The object principal here is resource://gre/res/hiddenWindow.html (presumably because the script from the plugin that called us is running on the hidden window's safe JS context?). But the subject principal here is http://www.burningmoth.com/projects/moztest/moztest.html (as expected). So you get a security exception thrown, since those have different origins... Note that we do get the right subject principal in ParseFromStream() in the DOMParser. But we somehow end up with the wrong one in the end on the XMLDocument the DOMParser produces...
Assignee: dbradley → nobody
Component: XPConnect → Plug-ins
QA Contact: pschwartau → plugins
|
|
Assignee | |
Comment 4•19 years ago
|
||
Actually, this is a DOMParser bug all the way....
Assignee: nobody → xml
Component: Plug-ins → XML
OS: Windows 2000 → All
QA Contact: plugins → ashshbhatt
Hardware: PC → All
Summary: xml object parsed from string from flash throws permission denied error when accessed → [FIX]xml object parsed from string from flash throws permission denied error when accessed
Target Milestone: --- → mozilla1.9alpha
Version: 1.0 Branch → Trunk
|
|
Assignee | |
Comment 5•19 years ago
|
||
Ths issue is that the document only gets the principal off the channel owner if StartDocumentLoad resets. In this case it does not... We could probably make it reset if we moved the event listener addition to after StartDocumentLoad. Let me know if you want me to do that instead, ok?
Assignee: xml → bzbarsky
Status: NEW → ASSIGNED
Attachment #202338 -
Flags: superreview?(jst)
Attachment #202338 -
Flags: review?(jst)
|
||
Comment 6•19 years ago
|
||
Comment on attachment 202338 [details] [diff] [review] Patch Sounds reasonable. r+sr=jst
Attachment #202338 -
Flags: superreview?(jst)
Attachment #202338 -
Flags: superreview+
Attachment #202338 -
Flags: review?(jst)
Attachment #202338 -
Flags: review+
|
|
Assignee | |
Comment 7•19 years ago
|
||
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
||
Comment 8•19 years ago
|
||
*** Bug 320567 has been marked as a duplicate of this bug. ***
|
|
||
Comment 9•19 years ago
|
||
Comment on attachment 202338 [details] [diff] [review] Patch We should get this on the branch, it fixes a DOMParser/document.domain regression since 1.0.x and makes us more compatible with IE/Opera/Safari (see bug 320567).
Attachment #202338 -
Flags: approval1.8.0.1?
|
||
Comment 10•19 years ago
|
||
Do we know what the change is in 1.0.6 that caused the issue?
|
|
||
Comment 11•19 years ago
|
||
(In reply to comment #10) > Do we know what the change is in 1.0.6 that caused the issue? I don't know, I can't even reproduce this issue in 1.0.6 (maybe needs a specific Flash version?). However, it turns out that bug 320567 is not a regression since 1.0.x (it was broken there too), so I'm fine with dropping this one for 1.8.0.1 after all.
|
||
Comment 12•19 years ago
|
||
Comment on attachment 202338 [details] [diff] [review] Patch not 1.8.0.1, but might be appropriate for 1.8.1 (Firefox 2).
Attachment #202338 -
Flags: approval1.8.1+
Attachment #202338 -
Flags: approval1.8.0.1?
Attachment #202338 -
Flags: approval1.8.0.1-
|
|
Assignee | |
Comment 13•19 years ago
|
||
Note that I'm not sure what the effect of exposing the hidden window security context here is. That is, whether it can get us in trouble.
|
|
||
Comment 14•19 years ago
|
||
Comment on attachment 202338 [details] [diff] [review] Patch Fixes bug 320567 and others
Attachment #202338 -
Flags: approval1.8.0.1- → approval1.8.0.1?
|
|
Assignee | |
Comment 15•19 years ago
|
||
Fixed on 1.8 branch (just realized this got plussed for there). Not landed on 1.8.0.1 yet.
Keywords: fixed1.8.1
|
|
||
Comment 16•19 years ago
|
||
Comment on attachment 202338 [details] [diff] [review] Patch a=dveditz for drivers Boris clarified comment 13 in mail: "_without_ that patch we end up with objects floating around in the hands of untrusted script that have the hidden window security context, as far as I can see. _With_ the patch, the XMLDocument handed back from DOMParser has the right principal (that of the calling web page)." We do believe the hidden window has been de-fanged as a potential source of privilege escalation, but it's never completely safe when things have the wrong principal.
Attachment #202338 -
Flags: approval1.8.0.1? → approval1.8.0.1+
|
|
||
Updated•19 years ago
|
Flags: blocking1.8.1+
Flags: blocking1.8.0.1+
|
||
Comment 18•19 years ago
|
||
verified fixed on the branch using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1. I followed the steps in the reporter's steps to reproduce and everything works fine.
Keywords: fixed1.8.0.1 → verified1.8.0.1
You need to log in
before you can comment on or make changes to this bug.
Description
•